By now, pretty much everyone knows about the ever-expanding number of data privacy laws around the world, and the need for consent to process personal data from users online. Added to that are a growing number of requirements levied on businesses from influential tech platforms. As enforcement expands, the risk of revenue loss can bring a far more immediate and pressing impact on digital marketing strategy and operations.
Fortunately, there is a way forward and marketers are already embracing it. The evolution away from third-party cookies and the data they collect has been in process for some time. These changes continue to ramp up as companies have increasing motivation to adapt their digital marketing and privacy compliance practices to protect revenue operations.
We look at the practicalities that come with the end of third-party cookies, why new data sources bring greater opportunities for marketers, and what privacy-led marketing promises for growth in the era of greater customer control and choice.
How are privacy regulations influencing the changes in marketing?
A number of legacy marketing operations now need to be conducted in new ways to meet privacy compliance requirements. Some older technologies are being phased out, and new ones are being developed and evolving. Marketing is increasingly being seen as and conducted as an ecosystem, where all tools and activities are connected and influenced, if not outright controlled, by data privacy. New tools are increasingly becoming necessary to better manage this ecosystem, to enable more successful campaigns, analysis, and optimization that are compliant with regulatory and business requirements.
Consumers online are also increasingly aware of their rights as granted by these regulations, and how they pertain to companies’ access to and use of their personal data. Companies can’t just take what they want. Some types and tactics in digital marketing could have negative effects on brand reputation these days.
“We need to understand how data is flowing, what data we actually need, and to really challenge that — not to collect everything but to get first-party data and build strategies around that.”
– Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-led Marketing the solution to the cookieless future?)
It has been common in the past to collect a lot of third-party data from people online, much of it without their awareness, and certainly without their consent. Regulations now prevent that in many cases around the world. More and more, companies must notify users about what personal data they collect, how, for what purposes, and who may have access to it, among other things. No more harvesting vast amounts of data from anywhere companies can get it.
Many privacy regulations now also require companies to get user consent before collecting or processing their data, or at least meet requirements for a different legal basis before doing so. Even in areas like the United States where prior consent is not required in many cases, people must have the option to opt out of companies’ processing of their data.
All of this affects how companies can interact with customers and users, how they get information about them, how they run campaigns and analyze performance, and more. The good news is that privacy-led marketing enables companies to do all of these things in more sophisticated and lucrative ways than before.
What are the issues with third-party cookies?
Third-party cookies are typically set by domains (companies) other than the one operating a website. They’re set by elements integrated into the website, rather than built as part of the website itself, and they track people across the internet, not just while they’re on a particular website.
Sometimes information about how they function, what data they collect, and who receives that data is known or easily accessible to website operators, and therefore easily communicated. Those third-party services can also be more easily controlled, enabling compliance with data privacy requirements.
Plenty of these services, however, are nested several layers deep, and run by vendors, for other vendors, for yet other vendors. This obfuscates their presence and functions from the website operator, not to mention the website users. This can be a problem for controlling all data-collecting services and for transparently providing comprehensive information to users, as well as for getting valid consent for data use.
Why are third-party cookies being phased out?
The strategy with third-party data collected via these services has largely been “get as much as you can and sort it out later”. Third-party cookies certainly did provide marketers with a lot of data. There are obvious issues with transparency and consent, and thus for data privacy compliance. Additionally, much of the data has been of poor quality, and needs to be combined with vast amounts of other data to enable meaningful analysis and application.
This data use also does little to build trust with customers and develop long-term engagement and relationships. Customers feel a lack of control over what should belong to them. Increasingly, ensuring people feel in control over their data and building trust with your company is critical for effective marketing. Laws are only getting more strict, activists continue to push for change, and consumers are becoming more savvy about their data and rights. In a nutshell: it just doesn’t work well anymore.
Third-party cookie use is an old, imperfect, and blunt instrument for marketing purposes. Fortunately, technologies have evolved along with privacy regulations. Marketers have more precise and sophisticated tools now to know what data collecting services are in use, provide transparency to users, obtain data with consent, and use both the consent and the data in smarter, more integrated ways throughout the marketing ecosystem.
It’s important to note, however, that as Usercentrics CMO Adelina Peltea noted in our recent episode of the Consented podcast, “Cookieless does not mean all cookies are disappearing.”
Google is phasing out third-party cookies in Chrome – why it’s important
Google announced that they would be phasing out the use of third-party cookies several years ago. Their plans for how to do so and the exact timeline for the changes have evolved several times. However, Google began disabling third-party cookies in early January 2024 in the Chrome browser.
Google is actually late to the party, as Mozilla’s Firefox, Brave Software’s Brave, and Apple’s Safari browsers have blocked third-party cookie use for some time.
Why are changes to cookie use in Chrome influential?
This initiative initially affected about one percent of Chrome’s global users, with the rollout to expand over the course of the year until third-party cookies are fully deprecated in Chrome. While this is only one web browser, Chrome does have the majority market share, so this will affect nearly 3.5 billion web users (over 42 percent of the global population).
What are marketers using to replace third-party cookies?
Marketers need to shift away from third-party cookie data sources to more owned channels, which can be better controlled. There’s the added benefit that they tend to result in higher quality data and better conversion rates, though marketers do need to determine new ways of handling measurement and attribution. These changes also streamline being transparent with users, obtaining valid consent for privacy compliance, and providing better user experience.
Zero-party and first-party data are replacing third-party sources, and driving development of new tools and tactics to collect and activate these rich data sources.
Zero-party and first-party data – what they are and why they’re they are better for marketing
Zero- and first-party data are generally collected by a company about its own users and/or customers via various means. They are more targeted, more likely to be obtained with consent, and easier to provide information about as required by privacy laws.
Zero-party data – marketing gold standard
Zero-party data is so categorized because it comes directly to the company from the customer. There are no intermediary vendors or systems collecting, packaging, or processing it first. It’s also referred to as opt-in or self-reported data due to its consensual nature and customer origins.
Zero-party data is shared by customers, visitors, and users intentionally and voluntarily. This is typically prompted by the company, but with the goal to enable the customer to decide what data they consent to share, and shape their experience with the organization and its products and services.
How is zero-party data collected and deployed?
This data can be collected via many mechanisms, including:
- surveys and feedback forms
- preference inquiries about products, services, and features
- user account fields and profiles to record demographic information and preferences
- ratings and reviews
- incentives where personal data is exchanged for benefits
Customers can inform companies about how often they want to be contacted, by what medium (e.g. email, SMS, newsletter), for what purposes, and with what information (e.g. notification of sales, personalized deals, or launch of a new product). They can inform companies what they think about products or services and what they’d like to see more of. Companies can build customer profiles with detailed information on customer identity, interests, preferences, and permissions.
All of this means the data is more likely to be highly accurate. It enables very personalized marketing, and companies can demonstrate their respect for user privacy and customer preferences. This helps develop higher engagement and long-term customer relationships, which grow revenue.
First-party data – marketing work horse
First-party data is obtained slightly less directly than zero-party data and can be slightly less accurate. But it is still a big improvement in quality and maintaining data privacy compliance over third-party data. It’s sometimes referred to as customer, proprietary, owned or in-house data.
First-party data is typically collected via a company’s owned properties, like websites and apps. It isn’t directly collected from customers and users, but is collected about their activities. These services assign unique identifiers to users, and so can recognize them to enable personalized experiences, everything from login status to maintaining the contents of their shopping cart.
“First party data refers to the data we are getting directly from our customers, and this is typically considered one of the most valuable types of data that we can get because it is provided to us, it is reliable, and it is accurate.”
Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-led Marketing the solution to the cookieless future?)
How is first-party data collected and deployed?
First-party data is largely collected from the widest variety of sources, which include:
Given how much the average person does online these days, you can see that first-party data can provide a huge amount of information about what people do, when and how they do it, and what interests them. This enables site and app optimization, audience segmentation, personalized ads and communications, and predictive modeling of browsing and purchasing behavior.
First-party data is also critical for evaluating communications and campaigns for effectiveness, determining ROI, and strategizing future efforts to best deploy budgets.
Preference management
Preference management is how zero- and first-party data are obtained and most effectively used. Your preference manager is how you collect zero-party data about customer preferences and record permissions they’ve granted. Preference management also helps fill in data gaps from loss of third-party data, and enable first-party data to be activated more effectively, e.g. via syncing across the CRM and marketing tools.
Preference management also benefits privacy compliance strategies, as granular consent can be obtained, then signaled across the marketing stack and to third-party partners to control data collection and use per the customer’s expressed preferences.
Companies should also look into server-side tagging as a way to collect, centralize and activate their zero-party data, consent, and preferences.
Learn more: What is universal consent and how does it benefit companies and their customers?
What are the risks of not updating your marketing strategy away from third-party cookies?
Privacy noncompliance due to old marketing strategies can be a risk for the whole company, both with regulatory and newer business requirements. The loss of data, audience access, and ad revenue from Google restricting access to its services, for example, could be a huge financial blow for a company. It can also tarnish your brand in the eyes of customers and prospects.
Fines, loss of data, and other penalties
Fines can be up to 4 percent of a company’s annual global revenue under the GDPR in the EU. While GDPR fines levied on big tech companies make the headlines, any size of organization processing EU residents’ personal data can be penalized for noncompliance.
Many sources of valuable first-party data, as well as ad revenue, are also at risk without evolving marketing strategy, complying with new requirements, and obtaining valid consent for first-party data processing services, like those from Google.
Government and corporate enforcement is ramping up
Data protection authorities have already begun investigations into companies the Digital Markets Act (DMA) designates as gatekeepers, including Alphabet, Apple, and Meta. Those companies are likely to make whatever changes are needed to how customers access and use their platforms sooner rather than later to protect their business interests.
To meet DMA compliance requirements, Google (Alphabet is the parent company) has made a number of changes to its requirements of its customers. These include requiring signaling of valid user consent via the use of Consent Mode v2 with a Google-certified consent management platform (CMP). Companies can work with Basic Mode or Advanced Mode, depending on their business needs and the degree to which they’ve embraced privacy-led marketing.
New requirements for Google customers
Google also now requires publishers in the EU/EEA and UK to implement the TCF 2.2 via a certified CMP if they are using Google AdSense, Ad Manager, or AdMob. Companies risk loss of access to these services’ full functionality if they don’t comply.
Google also has recommendations for tools and strategies for companies to adapt to the new ecosystem for ads and measurement. These include:
- Consent Mode (preferably via Google-certified CMP partner)
- Customer Match
- Enhanced Conversions
- Use of GA4
Google is also building on their Privacy Sandbox to enable web browsers to work in new ways to protect privacy and enable data use.
Learn more: Are ecommerce businesses ready for the new consent requirements?
Customers ain’t gonna take it
Consumers’ awareness and demands for control of their data and rights continues to grow as privacy laws spread. They are no longer passively accepting of having their data collected and used by entities they don’t know and purposes they haven’t approved. People will vote with their wallets, and are increasingly likely to end a business relationship if they don’t trust a company’s security or use of their data.
Data privacy regulations also increasingly include the right to portability, which means it’s easier for people to take their data and quit a company — probably for a competitor that may offer better products or pricing in addition to demonstrable respect for user privacy.
Companies have access to more sources and types of user data than ever before, but that means they have greater responsibility for how they access and use that data. Increasingly, around the world, there are consequences for not taking that responsibility seriously.
What is privacy-led marketing and why is it the future?
Privacy-led marketing includes everything we’ve already looked at. Tied to the idea of privacy by design, it puts privacy first marketing strategy and operations, and in customer relations. It involves embracing the benefits and competitive advantages data privacy brings to a company, rather than focusing on what you lose with third-party data, or what can still get away with and for how long.
Privacy-led marketing values quality over quantity in user data, learns when and where the right times are to communicate (clearly and right at the beginning), ask for consent and data access (and optimize these over time), and doesn’t focus excessively on what data and access companies no longer have (wasn’t the best anyway).
It values building trust by being transparent with customers and remembering that they want to know “what’s in it for me?” And of course, making it easy for them to express their preferences and manage their consent.
Privacy-led marketing thinks about the user journey, not a single opportunity. It strategizes how it can provide a continuous user experience with control, over time becoming clearer and honed for maximum benefit to the company and user, while meeting regulatory and business requirements.
“Users value tradeoffs. When we can provide them with a tradeoff that will be personalized recommendations or targeted adverts that are of interest to them, then users are more prone to share that data with us.”
– Sandra Wojciechowska, Data Protection Officer & Head of Consent Management, e-dialog (Consented podcast, Episode 3: Is Privacy-led Marketing the solution to the cookieless future?)
Smart marketers are strategizing new paths forward with the knowledge that happy customers share more data and develop more loyalty with brands, which benefits the bottom line.
These strategies focus on using the tools companies now need, like a consent management platform, Google Consent Mode, and the TCF 2.2 to maximum advantage. They understand that marketing is an ecosystem, and that consent and data need to flow throughout and control not only the company’s campaigns, but data access and use by third parties like partners and vendors.
Privacy-led marketing is the future because there is no path forward for old ways of doing things. Thanks to ever-evolving data privacy regulations and new requirements from influential platforms, old strategies are too risky, have become primitive and noncompetitive, and, ultimately, simply will not work.
Make consent management part of your privacy-led marketing strategy
Consent management has been important for some time to enable data privacy compliance, but companies need to start seeing it as one part of privacy-led marketing, if they aren’t already.
Using a high performance consent management platform (CMP), companies can not only obtain valid user consent, but they can get rich data about user interactions with consent banners. These analytics enable insights and smart optimization to increase opt-in rates. This helps offset any data loss from third-party cookie use.
For even better user experience and maximized opt-in rates, you can deploy contextual consent, asking at specific times for specific services and purposes. Visitors and customers will know exactly why you are asking for consent, and what the benefit is to them.
“Collect the right information at the right time, then we will have higher consent rates and we’ll have the trust of the users.”
– Adelina Peltea, Chief Marketing Officer, Usercentrics (Consented podcast, Episode 3: Is Privacy-led Marketing the solution to the cookieless future?)
Consent management also helps deliver peace of mind, as a solution like Usercentrics CMP can block nonessential cookies and other trackers until user consent is obtained, helping to ensure privacy compliance. It also enables customization for compliance with multiple data privacy laws, so visitors see the right banner for their location. You can even customize the language the banner is displayed in for optimal user experience while achieving privacy compliance.
Your CMP enables you to set up the required signaling for your tag manager, including Google Tag Manager. The Usercentrics and Cookiebot CMP solutions are Google-certified, so can signal consent in the necessary way to meet Google’s latest requirements.
The future of marketing is privacy-led. You’re not alone in figuring out how to embrace these new solutions. Achieve and maintain your privacy compliance while obtaining the data you need, signaling the consent that your marketing ecosystem requires, and growing your loyal customer base and revenue.
Check out the full Consented podcast, Episode 2: Is Privacy-led Marketing the solution to the cookieless future? It’s available on Spotify and YouTube.